HashiCorp Vault 1.0 released with batch tokens, updated UI and more

Yesterday, HashiCorp announced HashiCorp Vault 1.0, a tool for managing secrets and protecting sensitive data across infrastructure and applications. This first major release focuses on high performance and scalability for demanding workloads.

Batch tokens in Vault 1.0

Batch tokens are a new type of token with support for ephemeral, high-performance workloads. Batch tokens do not write to disk, and thereby significantly reduce the performance cost of operations within Vault. The tradeoff is that batch tokens are not persistent, so they are of little use for long-lived or ongoing operations, or for any operation that requires token resiliency.

Due to their ephemeral nature, batch tokens are well suited to large batches of operations with a single purpose, such as using the transit secrets engine. They are not suited to operations such as persistent secret access within a K/V secrets engine.

Cloud Auto Unseal open sourced

Cloud Auto Unseal is open sourced in Vault 1.0, allowing Vault users to leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS. It is open sourced to simplify storing and reassembling Shamir's keys for users. HSM-based Auto Unseal and Seal-Wrap remain features of Vault Enterprise; they are typically deployed to conform with government and regulatory compliance requirements.
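To show what the manual unseal path that Auto Unseal replaces involves, here is an added Python example (not Vault's own shamir package, which splits the key byte-wise over GF(2^8)) of Shamir threshold splitting and reassembly over a prime field; it assumes a simplified single-integer secret and uses the 5-share, 3-threshold numbers that are the defaults of vault operator init.

```python
import secrets

# Prime field modulus; large enough to hold a 128-bit secret. Assumption: a
# simplified prime-field construction rather than Vault's GF(2^8) byte-wise scheme.
P = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret, shares, threshold):
    """Split an integer secret into `shares` points; any `threshold` of them rebuild it."""
    if not (0 <= secret < P) or not (1 < threshold <= shares < P):
        raise ValueError("invalid parameters")
    # Constant term is the secret; higher coefficients are random, so fewer than
    # `threshold` points reveal nothing about the constant term.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def combine_shares(points):
    """Lagrange-interpolate the polynomial at x=0 to recover the constant term."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def unseal_demo(root_key=None, shares=5, threshold=3):
    """Mimic manual unseal: hand out shares, then gather `threshold` of them.

    Returns (recovered with enough shares, recovered with one share too few).
    The root_key stands in for the key Vault protects; Auto Unseal keeps this
    key wrapped by a cloud KMS instead of asking operators to present shares.
    """
    if root_key is None:
        root_key = secrets.randbelow(P)
    points = split_secret(root_key, shares, threshold)
    enough = combine_shares(points[:threshold]) == root_key
    too_few = combine_shares(points[:threshold - 1]) == root_key
    return enough, too_few
```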

OpenAPI in Vault 1.0

The latest release of Vault supports the OpenAPI standard from the OpenAPI Initiative, which provides a vendor-neutral description format for API calls. Using the /sys/internal/specs/openapi endpoint, Vault can now generate an OpenAPI v3 document describing the mounted backends and the endpoint capabilities available to a token's permissions.

A new updated UI

There have been significant UI upgrades in Vault leading up to 1.0. These upgrades include:

Wizards to help new users get started with Vault

New, updated screens that show users how to mount auth methods and secrets engines

Support to manage key versioning within the K/V v2 secrets engine

Other UI updates to help ensure simple Vault deployment, initialization, and management

Expanded Alibaba Cloud integration

Features for operating Vault with and within Alibaba Cloud are now expanded. In Vault 1.0, Alibaba Cloud KMS is supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud auth method is now a supported interface for Auto-Auth within Vault Agent.

GCP CKMS secret engine

A new secrets engine has been added for managing cryptographic operations within GCP CKMS. Through this interface, users can perform transit-like encrypt/decrypt operations, key creation, and key management against external GCP CKMS systems.

Other features

The credential used by the AWS secrets engine can be rotated so that only Vault knows the credentials. With the new operator migrate command, users can perform an offline migration of data between two storage backends. Keys in the transit secrets engine can be trimmed, which allows removal of older, unused key versions.